Security fix leads to PostgreSQL lock down

The developers of the open source PostgreSQL relational database have announced that they are restricting access to the PostgreSQL repositories to committers only while a fix for a "sufficiently bad" security issue is applied to the code. The lock down is temporary and will be lifted once the next release of the open source database is available. The measure should help ensure that bad actors cannot monitor the source code changes in the database and craft an exploit for the unidentified flaw before fixed packages are available for users to install.

The decision, taken by the core committee, is intended to be an exceptional process rather than a routine event, and they "apologize in advance for any disruption", adding that "It seems necessary in this instance, however".

The PostgreSQL Global Development Group has also given advance notice of the update and is strongly urging users to apply it as soon as it is available, as it is for a "high-exposure security vulnerability". The notice is designed to enable users to schedule time around the release to install the update on production systems. The release is expected on 4 April and will only require installing the updated packages and restarting the database service.